The perks that have always been attached to Apple Pay are the simplicity, speed and convenience of the mobile payment option. But does easy always mean better? The spike in fraud has some security experts doubting the security measures behind Apple Pay.
While Apple Pay has been defending its security, there’s a debate ensuing about just how secure the mobile payment option is. In a statement to The Washington Post, Apple wrote: “Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”
A Washington Post article cites Cherian Abraham, a mobile payments advisor with Experian Global Consulting, who suggested Apple may not be doing enough to prevent consumers from committing fraudulent payments. And according to the article, he believes up to “6 percent of Apple Pay purchases are completed with stolen cards.”
And that’s why there are skeptics, and why the term “Apple Pay fraud” has been floating around in recent news stories. Some security analysts say that Apple doesn’t have enough security in place to prevent breaches, suggesting that the setup process is too simple. Others have said that Apple didn’t do enough to work with banks to ensure the proper steps are taken to prevent fraud from occurring.
“A lot of the fraud people [at banks] were annoyed that they rushed into it without thinking it through,” Avivah Litan, a security analyst for Gartner, told The Washington Post. “You can’t count on iTunes at all — they should use their own processes and their own records.”
But as Apple banked on its simplicity pitch, did it overlook some necessary security identification steps when users set up Apple Pay? With all the Apple Pay buzz going on, another analyst suggested some necessary practices may have been overlooked.
“The issuers were probably so eager to be involved that they kind of forgot best practices and sidestepped some procedures they normally would’ve had [in order] to accept Apple Pay,” Michelle Evans, senior analyst for consumer finance at market research firm Euromonitor, told The Washington Post.
Reports about potential Apple Pay fraud show that, instead of trying to hack Apple, thieves are merely swiping credit card information and fraudulently creating Apple Pay accounts with it. As PYMNTS reported earlier this month, a credit or debit card can only be added to Apple Pay when its issuing bank beams over an encrypted version of the card details to store on the phone – which it should only do when certain the real owner is using it. U.S. banks are using a “green path” for cards approved immediately without concerns and a “yellow path” for cards requiring more checks. It is that “yellow path” verification that is causing a problem, since in some cases banks are not asking enough questions and in other cases they are allowing callers to verify their identity with nothing more than the last four digits of their Social Security number.
MPD CEO Karen Webster, however, says the term “Apple Pay fraud” may be misleading since, as she noted, “it isn’t the Apple Pay mobile transaction protocol that’s vulnerable, it’s the process of account provisioning that is the back door through which the bad guys entered.” And, as we’ve heard repeatedly from experts who deal with fraud on a daily basis, she said, crooks always find the weakest link and exploit it. That weak link, Webster points out, was first the merchant POS environment, which was compromised and which then made Apple Pay account provisioning so much easier.
“It’s worth re-emphasizing that Apple Pay’s fraud problem isn’t because criminals hacked into existing Apple Pay user accounts, stole credentials and then shopped up a storm,” Webster wrote. “Apple Pay’s fraud ‘problem’ stems from account takeovers in which cybercriminals – very smart cybercriminals, I’ll add – used stolen card numbers to set up iTunes accounts, and then used those iTunes accounts to provision new Apple Pay accounts. And then shopped up a storm.”
Regardless of who’s to blame in spreading the “Apple Pay fraud” fear, there’s some real friction being created, perhaps also because of all the press. And there’s reason for concern from merchants, one analyst says, based on who would have to pay for the fraudulent purchases.
“I think there is a legitimate concern for online merchants,” Amitabh Saxena, the founder of the digital-payment consulting firm Digital Disruptions, told The Washington Post. “They’ll want to know how many bad cards are in the system, and that might give them a little more pause.”
As Webster said, there will always be cybercriminals who know how to hack the system; whether that system will be Apple Pay remains to be seen. Webster also pointed out that PayPal had this problem more than 15 years ago – and decided that it was better to encounter a little bit of fraud than to impose a whole lot of friction on the system that left it without either consumers or merchants. She points out that PayPal was willing to take on the risk that the banks, at the time, weren’t. Perhaps taking a page from that lesson book, Apple and Apple Pay, she thinks, correctly recognized that the easiest way to get consumers on board was to make it easy for their iTunes customer base to convert those registered cards to Apple Pay accounts.